"Unlock the Secrets of Data Privacy Interviews - You Won't Believe What They Ask!"

00:00

hello team welcome to my session on

00:02

coffee with prabh and today we're going

00:04

to discuss some interview questions

00:05

which is frequently asked in our data

00:07

privacy jobs my name is prabh Nair and

00:10

for more information you can check my

00:12

LinkedIn profile these questions I also

00:15

ask when I basically onboard any

00:17

consultant for the project so might be

00:19

this video useful for you

00:21

and if you're new to the channel do

00:22

subscribe to my YouTube channel and

00:24

click on the Bell icon to make sure you

00:25

should not miss my future videos on a

00:27

similar topic I also covered the

00:29

interview prep questions of the other

00:31

job skill set so might be that videos

00:33

will be useful for you my primary

00:35

objective behind this YouTube channel is

00:37

to just give a value to my clients value

00:40

to my stakeholders value to my

00:42

subscribers so that they gain

00:43

information from this particular Channel

00:46

so without wasting your time let's start

00:48

with the first part hello everyone my

00:51

name is prabh Nair and I'm working as a

00:53

chief instructor at infosectory

00:55

[Music]

01:09

foreign

01:11

okay so we are starting with the first

01:13

question can you tell me about what is

01:15

privacy or can you tell me more about

01:17

what is privacy see normally interview

01:20

when they ask this question from the

01:22

candidate they want to know the thought

01:24

process of the candidate okay what he

01:27

basically or what she perceive about

01:28

privacy because it is very important to

01:31

know the psychology of the candidate how

01:33

he take on how how she take the Privacy

01:36

as a subject okay because privacy is a

01:39

very complex thing when it comes to

01:40

their Solutions and all that it's a very

01:41

complex thing so in most of the

01:43

interviewers normally ask this question

01:45

just to understand what is a visibility

01:48

the candidate has about the privacy

01:51

so if you uh going to answer this

01:55

question or if I am going to answer this

01:56

question this is the normal response I

01:57

give to the question so privacy is a

01:59

state of information

02:01

in which one is not observed or

02:05

disturbed by the other people example

02:07

like my medical records so I have my

02:10

medical records okay I want that

02:13

information only with me so I have some

02:16

medical informations okay I went for

02:19

some test and this is my information and

02:21

is basically associate with me only so I

02:23

don't want this information

02:25

should go outside to any third person

02:29

because that is a state of information

02:30

for me and I might get Disturbed if that

02:33

information is available to third party

02:35

because he might misuse that information

02:37

for his personal benefit

02:39

that is why in some countries privacy is

02:42

a fundamental right okay and essential

02:44

to the freedom and protection of human

02:46

dignity and serving as a foundation upon

02:48

which many other human human rights are

02:51

basically built so this is how you can

02:53

able to present the statement so if

02:56

someone asks about what is privacy and

02:57

why it is important it's a state of

02:59

information which neither observed or

03:01

disturbed by the other people and it is

03:04

a fundamental rights in some countries

03:06

which is considered as a human dignity

03:08

and that is why in some countries we

03:10

have a dedicated law which basically

03:12

protect the privacy of an individual one

03:16

more important thing sometime in the

03:18

interview they also ask what is the

03:19

difference between the privacy

03:22

and secrecy

03:25

so privacy is a state of information

03:27

which deal with the individual

03:30

and secrecy is a state of information

03:32

which deal with the organization example

03:34

company has their internal business

03:36

informations they have their internal

03:38

trade secrets so that is called as

03:39

secret information and the information

03:41

which is mapped with the individual that

03:44

is basically called as a privacy

03:46

okay so let's move to the next interview

03:49

question

03:50

okay next question is what is the most

03:53

important requirement for a privacy

03:55

compliance

03:56

by asking this question interviewer want

03:58

to know your experience in the data

04:00

privacy area

04:01

because you know they cannot hire any

04:03

random consultant to manage a privacy

04:05

because it is something related to their

04:07

law regulations business requirement and

04:09

all that so they want to know your

04:11

experience they want to know your

04:12

knowledge on that particular area

04:15

so this is how I basically craft this

04:17

question that's why we have raised this

04:19

question what is the most important

04:20

requirement for privacy compliance and

04:22

as a client I will definitely ask this

04:23

question from a candidate

04:25

so answer is first understand the

04:27

regulation business requirement because

04:29

if you want to start building any kind

04:31

of a privacy system in the organization

04:33

we will definitely need to know okay

04:36

what are the current requirement we have

04:37

what is the business requirement we have

04:39

let's take example I joined one

04:42

European based company okay so this is

04:44

the company we have company a

04:47

so I joined this company so I need to

04:49

make sure that okay a company should be

04:52

comply with the gdpr

04:55

or they have a customer in U.S so I need

04:57

to be comply with uh HIPAA I need to be

05:00

comply with glba or if I'm basically

05:03

serving any kind of a customer in Canada

05:05

I need to be comply with the people die

05:07

and all that so first thing in order to

05:09

comply comply is basically mean Act of

05:12

abiding so in order to comply with gdpr

05:15

comply with h a pi and all that I need

05:17

to First understand the requirement

05:19

simple logic now like if I'm if I'm

05:20

going to someone's house I need to know

05:22

the rules and regulation of the house

05:23

right that is how I get the respect and

05:26

that is how I get my Safety and Security

05:27

same like as a company if I'm basically

05:30

operating in a particular region I need

05:32

to know the business requirement I need

05:34

to know the regulated requirement of

05:36

that particular region okay now if gdpr

05:38

say that okay you need to process data

05:40

in a pseudonymization so I need to make

05:42

sure what are the data is processing in

05:44

the EU it should be done in a

05:45

studentization if glb is saying that

05:48

tomorrow you need to keep the data

05:49

address in encrypted order I will keep

05:51

the data in encrypted order so before

05:52

implementing the encryptions and all

05:54

that I need to know what is the

05:56

requirement

05:57

so that is why that is the first step so

05:59

when you're going to explain in this way

06:00

you build the confidence in the

06:02

intervaries this guy has a knowledge

06:04

so Second Step appoint the data

06:06

Protection Officer in some cases we need

06:08

to have a data Protection Officer he is

06:10

just act like a data Steward who

06:12

understands the business requirement and

06:14

map the business requirement with the

06:15

legal requirements and he he or she will

06:18

be the person who will basically talk

06:19

about what is the requirement we need to

06:21

be comply with the Privacy Okay the

06:24

third most important thing we need to

06:25

create a privacy program management

06:27

because it include all the controls

06:29

procedures and everything by which we

06:31

basically maintain the Privacy

06:32

protection and then we basically create

06:35

a privacy policy which basically capture

06:37

the intent of the management because if

06:39

you want to enforce any kind of a

06:41

privacy practices in the organization it

06:43

need to be driven through a privacy

06:45

policy and then finally we conduct the

06:48

Privacy impact assessment which

06:50

basically all about what is basically

06:52

have and what we need to achieve so

06:54

privacy impact assessment is just like a

06:56

gap assessment to identify the level of

06:58

privacy requirement we have in the

07:00

process and what we currently have so

07:02

this is how the process we follow by

07:04

which we can able to compliance with any

07:07

privacy requirement

07:08

let's move to the next interview

07:10

question

07:12

okay next interview question is what is

07:15

privacy

07:16

program management

07:19

frequent question asked in the exam see

07:21

the way we creating a management system

07:23

isms information security management

07:25

system which basically talk about

07:28

all the information security controls to

07:30

protect the data and all that same like

07:32

when we're building a privacy concept of

07:34

privacy Engineering in the organization

07:36

it has a set of controls

07:38

okay and for that that set of controls

07:41

are organized in one particular system

07:43

and that system is called as a privacy

07:45

program management so privacy program

07:47

management is a frequent question which

07:49

is you know uh ask in the jobs and all

07:53

that so how you basically respond to

07:54

that so it is basically a comprehensive

07:56

approach to privacy and data protection

07:58

that is essential for all agencies

08:00

Enterprise and other organization that

08:03

handles personal data and it minimize

08:05

the risk of privacy breaches maximize

08:07

the ability to address the underlying

08:09

problems reducing the damage arising

08:11

from a bridge so in a layman term like

08:13

let's understand see privacy program is

08:15

all about uh you can say it's all about

08:18

establishing

08:23

establishing

08:30

implementing

08:31

and

08:35

continually improving an organization

08:37

primary program to ensure we can

08:40

basically compliance with the applicable

08:41

data privacy regulations so the way we

08:44

have isms information security

08:45

management system which basically

08:47

include all the controls and practices

08:49

same like I want to comply with privacy

08:51

regulation I want to comply with privacy

08:53

requirement so how to do that so we

08:55

basically build a system in which the

08:57

policies are there controls are there

08:58

and that that concept is basically

09:01

called as a privacy program management

09:03

now sometime what happened interviewer

09:05

also asks what are the steps is

09:07

basically required for Effective privacy

09:09

program management so in that the first

09:12

step is basically establish the Privacy

09:14

program that is the first step

09:19

establish the Privacy program okay

09:22

where we establish the program that

09:23

Define the organization approach to data

09:25

privacy set out the policy procedures

09:27

process for managing personal data then

09:30

second step is basically we conduct the

09:32

Pia

09:34

privacy impact assessment or privacy

09:36

risk assessment where we perform the

09:37

risk assessment to identify the

09:38

potential privacy risk to the

09:40

organization personal data is process

09:42

and then third step is basically called

09:44

as a develop the Privacy management plan

09:47

so this we develop the Privacy

09:49

management plan that outline the

09:50

organization strategy for mitigating

09:52

privacy risk and compliance with the

09:54

applicable data or any regulated

09:57

requirement and this plan should include

09:58

all the Privacy Control process and

10:00

procedure so that is what privacy

10:02

Management program is all about it

10:03

include the controls that we need to

10:05

apply include the processes and most

10:08

important include the procedure and then

10:10

once we create that the next thing what

10:12

we have to do is we need to implement

10:14

the

10:15

privacy controls

10:18

implement

10:22

privacy control so implement the Privacy

10:24

control is all about identifying the

10:26

Privacy management plan and this include

10:28

implementing technical control such as

10:29

encryption access control and all that

10:31

and once you basically implement the

10:33

control the next thing we have to do the

10:35

monitor

10:37

monitor is basically all about

10:38

monitoring the effectiveness of the plan

10:40

including your privacy Control process

10:42

to ensure you know ongoing compliance

10:44

with applicable data privacy regulation

10:46

we have then we need to have an instant

10:48

response plan where we develop and

10:49

implement the instant response plan to

10:50

respond to the Privacy incidents and we

10:52

need to train people on the

10:55

privacy activity so somebody's

10:57

established the Privacy program then

10:59

conduct the Pia then develop the Privacy

11:01

management system then implement the

11:03

Privacy control then Monitor and then we

11:05

have a train and review so this is how

11:08

you basically build the Privacy

11:09

management system in the organization so

11:11

it includes a set of activities it

11:13

include the set of controls process and

11:15

procedure we talk about how to maintain

11:17

the data privacy in the organization

11:19

okay let's move to the next interview

11:22

question as I said sometime interviewer

11:24

trying to confuse you with the very

11:26

basic questions because you should be

11:27

good in Basics and this is what the

11:30

basic question is what is the difference

11:31

between the Privacy versus secrecy

11:35

so privacy is a state of information

11:37

that deal with the individual like your

11:40

pii your health records WhatsApp chats

11:43

and all that okay which is something led

11:45

to your individual and secrecy is a

11:47

state of information which deal with the

11:49

Enterprise example like companies

11:51

business process and all that so that is

11:53

the Thin Line difference we have between

11:54

the privacy and secrecy

11:58

so let's move to the next interview

12:00

question

12:02

okay next question is what are the

12:05

important steps required for a gdpr

12:07

compliance now here I basically divided

12:10

the response into two part one is very

12:12

high level and one is basically detail

12:14

level now sometime what happened

12:16

interview basically asks this question a

12:18

different way example we already have a

12:19

compliance with other regulations but

12:22

you know we don't want to repeat the

12:24

same step so do you know any High

12:26

critical steps that we can consider by

12:27

which we can even directly comply with

12:29

gdpr

12:30

or you know what are the important

12:32

critical steps are required to be comply

12:33

with gdpr on a high level so this is

12:36

basically where the interviewer test

12:37

your experience they want to know your

12:40

experience in the gdpr area

12:42

so I have divided the response in two

12:44

part one is very high level and one is

12:45

very detailed level so high level is

12:48

updating the individual data consent and

12:51

disclosures normally current process we

12:53

have which is compliance with Pip die

12:54

and all that but according to gdpr we

12:56

need to update the consents current

12:58

policies privacy notices are compliant

13:00

with bibda so we will update all the

13:02

necessary requirement of jdpr and third

13:04

is implement the transparency

13:06

documentations okay whatever the

13:07

critical documents are required to be

13:09

comply with gdpr I am going to update

13:10

instead of going from a scratch so that

13:13

is basically a very high level steps but

13:15

if you want to go in detail then I have

13:17

also a step for that example like the

13:19

first step is uh

13:21

data mapping okay where we identify map

13:24

all the personal data okay which we

13:26

collect the process store including the

13:30

category of data location you know the

13:32

legal basis for processing it that is

13:34

the first step then we basically create

13:36

a privacy policy we need to develop and

13:37

implement the privacy policy because

13:39

privacy policy is a foundation of a

13:42

privacy governance okay always remember

13:44

any kind of a system program you want to

13:46

introduce in the organization the first

13:48

we need to create a policy for that so

13:49

policy is a Law and Order of the company

13:52

okay so develop and implement the policy

13:54

that inform individual about how that

13:56

data is collected how it's going to be

13:58

processed and how it going to be shared

14:01

then third important thing we need a

14:03

consent management so where we need to

14:05

establish the processes to obtain and

14:07

manage the consent from the individual

14:09

for collecting processing storing the

14:11

personal data how you're going to

14:12

process the data so that is required and

14:14

then once we have all these things on

14:16

that I need to identify the gaps and

14:18

that is basically where the Pia come

14:20

into the picture Pia is one of the most

14:22

important part of the Privacy management

14:25

system

14:26

because it conduct the assessment like

14:29

they identify the risk

14:31

they mitigate the Privacy risk

14:33

associated with the new project or

14:34

changes in the existing process let's

14:36

take an example uh where companies

14:38

already compliance with other

14:40

regulations and now uh

14:42

this company is planning to onboard a

14:45

new project from the EU

14:47

so they will try to understand what are

14:49

the requirement of this business

14:52

okay what is current control we have and

14:55

how we can basically comply on the gdpr

14:57

so let's take example uh we we have a

15:00

website which is basically collecting a

15:02

set of information

15:03

uh from the Canada

15:06

and our website is complied with Canada

15:07

now we are planning to launch this

15:09

website in the Europe so I need to see

15:10

what is a set of requirement we need in

15:12

the website okay so that we can

15:14

compliance with the gdpr

15:16

okay so we identify the risk oh there's

15:19

no consent mentioned there's no privacy

15:21

notice mentioned this is how we did the

15:22

Pia

15:24

okay so user want HTTP so if I use HTTP

15:27

there is an information disclosure so

15:28

this is against the principle of gdpr so

15:30

this is how I'm doing a Pia so if you

15:32

give such kind of an examples it builds

15:34

more confidence

15:35

so Pia is the most important thing so

15:38

once you it is done with the Pia the

15:39

next step is basically data subject

15:41

rights so data subject right is all

15:43

about you know implement the process to

15:45

manage the data subject rights including

15:47

the how we access the data how here

15:49

Rectify how he erase the data restrict

15:52

the processing data portability all this

15:53

thing need to be defined then we have a

15:56

database notification in gdpr the

15:58

mandated report breaching is 72 hours in

16:00

72 hours you need to report the data

16:02

breach so database notification we need

16:05

to establish the process here

16:07

to inform the individuals and all that

16:09

sometime what happened we onboard the

16:11

vendors also and we need to make sure

16:12

the vendors also compliance with your

16:14

privacy

16:15

vendor should be compliant with gdpr

16:16

because by end of the day you are the

16:18

one who accountable for the regulatory

16:19

so we need to implement the process to

16:21

ensure the third party vendors

16:23

compliance with the GDP requirement when

16:25

processing the personal data on behalf

16:27

of the organization

16:28

then we have our training and awareness

16:30

where we provide the regular trainings

16:32

to the employees to ensure they are

16:34

under GDP requirement and then we have a

16:36

minimum appointment of data protection

16:38

officers okay to oversee the gdpr

16:40

compliance and they should be serve as a

16:42

point of contact with supervised

16:44

Authority and regularly audit and review

16:46

just to make sure we are compliance with

16:48

all the gdbr requirement

16:50

so these are the detailed steps we have

16:52

by which you can able to comply with the

16:54

gdpr okay let's move to the next

16:57

interview question

16:59

okay how are you responding to the

17:02

Privacy breach privacy breach it means

17:04

it's up to more any breach happen how

17:05

are you going to respond to the breach

17:06

because here the interview want to know

17:08

your psychology of how you handle the

17:11

crisis

17:12

okay how good you are in handling the

17:14

crisis because fail to comply with

17:16

privacy or if there is a privacy breach

17:18

you need to face a Regulatory Compliance

17:21

penalties and all that so here one

17:22

interview want to know how you basically

17:24

handle such kind of a situation

17:26

so how are you responding to the Privacy

17:28

brief so first is contain the bridge

17:30

contain these example if system is

17:31

infected with the virus isolate a system

17:34

immediately from the network that is my

17:35

first priority instead of doing start

17:37

doing a troubleshooting there itself so

17:39

example like we have a server here

17:43

okay and this servers are basically

17:44

connected with the other servers so the

17:47

hacker

17:49

example like

17:51

hacker hack into the server and able to

17:54

access the data but I don't want further

17:55

damage so isolate a system from the

17:57

network that is the first thing and for

17:58

that I will first notify the instant

18:00

response team and they will basically

18:02

isolate a system immediately from the

18:04

network and then we do the further

18:06

investigation how they hack the system

18:07

so that is called as I contain the

18:09

breach contain the breach it mean limit

18:11

the breach second is we will evaluate

18:14

the risk associated with this bridge

18:15

okay what is the level of affected

18:17

things we have so example 20 of a data

18:20

got compromised so at least we save 80

18:22

of our data here so we evaluate the risk

18:24

associated with the beach okay then

18:26

according to gdpr I need to report the

18:28

breach so I will see the what is the

18:30

notification requirement we have I will

18:32

basically get it done the plan PR team

18:35

will be involved how to craft a message

18:36

and then we basically proceed with the

18:39

remediation lesson line remediation

18:40

lesson learn make sure this incident

18:42

should not be repeated again in the

18:44

future so that is how we basically do

18:46

the problem management root cause

18:47

analysis and all that so that is how I'm

18:49

going to respond to the breach

18:53

okay next interview question

18:56

very good question how to create a

18:57

privacy policy here the interviewer how

19:00

to create a privacy policy here the

19:02

interviewer want to know whether you are

19:03

good in writing and all that you you

19:05

have a good understanding of governance

19:07

and all that so the first step whenever

19:10

you're creating a policy is to

19:11

understand the business and legal

19:12

requirement one thing you need to

19:14

understand privacy is a foundation of

19:15

any governance okay

19:18

management intentions are covered in the

19:20

policies okay so example every system

19:22

must be protected with the password so

19:24

this is the statement come from the

19:26

management

19:27

so that is a policy so whenever you want

19:30

to build a privacy governance privacy

19:31

management privacy policy is a mandatory

19:34

step because it is created by the

19:35

Protection Officer and approved by the

19:37

Senior Management and whenever you're

19:39

creating a policy make sure a policy

19:41

capture all the business and legal

19:43

requirement that is a most important and

19:45

must as a category

19:46

then second is Define the scope and

19:49

statement okay like this policy is

19:51

basically applicable for which country

19:53

or policy application for which branch

19:55

or policy application for which business

19:56

process so example like we are the

19:58

multinational company where we have a

20:01

project from Canada we have a project

20:02

from us so according to us we need to

20:04

create a privacy policy for a U.S

20:06

process we need to create a privacy

20:08

policy for the gdpr we need to create a

20:10

privacy policy for pipda so we need to

20:12

Define here is this policy applicable

20:14

for which particular area so that is why

20:16

the scoping is very important otherwise

20:18

it is difficult for the people to follow

20:21

it is very important to include your

20:23

business names and contact information

20:24

so if someone if tomorrow someone is

20:26

confused with the policies and all that

20:27

there should be a point of contact that

20:30

the person can reach out

20:31

mention about what type of information

20:33

you're going to collect so the policy it

20:35

is very important Define what type of

20:37

information you collect

20:38

okay that's the most important thing

20:40

okay there are many different way we

20:41

collect the user information example

20:43

like contact form cookie survey course

20:45

registrations you know email newsletters

20:47

so this is something we need to Define

20:50

need to address how you're going to

20:52

collect and why so it's very important

20:54

Define the procedures okay because it

20:57

gives the clarity but why we need that

20:59

and last need to Define if user data is

21:01

shared with a third party if yes mention

21:03

that and last but not the least for how

21:05

long you want to collect the data

21:07

because by this is how you can able to

21:08

limit your liability because you have

21:11

collected data and you're keeping the

21:12

data in the database and tomorrow it got

21:14

hacked then you are answerable for that

21:17

so Define the retention period for how

21:19

long you're keeping the data okay so by

21:21

this way you can able to limit your

21:23

liabilities okay because we have a one

21:25

simple fundamental is the best way to

21:27

protect yourself from any kind of a

21:29

compliance issue is limit in the

21:31

collection of a data okay let's move to

21:33

the next interview question before

21:36

moving that there is one more important

21:37

thing policy need to be reviewed

21:39

annually or in the case of major change

21:41

in the business and policy when it

21:43

reviewed annually it need to be reviewed

21:45

with the version update so in the last

21:47

page there is called as a version update

21:48

like policy was revised on this

21:50

particular date and this is the version

21:51

information okay we also need to add the

21:54

policy exception process example

21:55

sometime things are goes against the

21:57

policies or sometimes we have to drive

21:59

some activity against the policy so we

22:01

need an exception approvals and that

22:03

also need to be tracked down and later

22:05

on annually we'll see how many time this

22:07

kind of an exception has been generated

22:08

and if it is basically generated

22:10

multiple times try to amend that in a

22:13

policies okay

22:15

now next thing is next interview

22:17

question is

22:20

what is your understanding of data

22:21

privacy and why is it important in today

22:24

World sometimes the interview want to

22:26

know your psychology behind the data

22:27

privacy

22:29

okay because it is very important until

22:31

now you don't have that state of mind

22:35

to understand the Privacy you cannot

22:36

able to implement the control

22:38

that is why my first question was also

22:40

on the data privacy introduction

22:42

so how you basically respond to that see

22:43

when you're talking about your response

22:46

is very simple so data privacy first of

22:48

all you give the definition like data

22:49

privacy refer to the protection of

22:50

personal information from unauthorized

22:52

access use disclosure and then you can

22:56

add some narratives here like in today

22:58

world where the personal information is

22:59

frequently collected shared process data

23:02

privacy is critical to ensure that you

23:04

know individual retain control over

23:06

their personal data and are protected

23:08

from the potential harm so this is how

23:09

you can basically start the statement

23:12

then you can give your observation like

23:15

why data privacy is important in today

23:17

world is first personal data can be used

23:20

for nefarious purpose right

23:22

such as identity theft Financial broad

23:25

or staking that's why it's very

23:27

important to have a data privacy second

23:29

is personal data can be sold to third

23:30

party who may use it for Target

23:32

individual that is what we need to

23:33

protect and third personal data can be

23:35

used to make the decision about

23:36

individuals such as whether they are

23:38

eligible for the loans insurance and all

23:40

that okay so overall data privacy is

23:42

essential to protect the individual

23:44

right maintaining trust in the

23:46

institutions and business that collect

23:48

the personal information and ensure the

23:50

personal data is used ethically and

23:51

reasonably so when you give this kind of

23:52

a narrative answer I'm sure it build the

23:54

confidence in the job

23:57

so sometime what happened the

23:58

interviewer also asks your experience on

24:01

the data privacy risk assessment okay

24:04

because sometime what happened whatever

24:06

mentioned in the book is different from

24:07

what is happening in the industry okay

24:09

so they will ask you sometime like can

24:11

you walk me through your approach to

24:12

performing a data privacy risk

24:14

assessment so how you start certainly

24:16

here is a general approach to perform

24:18

the data private series assessment the

24:20

first is identify the scope and purpose

24:22

of assessment

24:23

the first step in data privacy risk

24:25

assessment is to clearly Define the

24:26

scope okay the purpose of assessment and

24:29

this includes identifying the system

24:31

applications data that will include in

24:34

the assessment as well as objective of

24:36

the assessment second is we need to

24:38

identify the personal data definitely

24:40

what data we have we need to assess

24:42

okay which include analyzing a

24:43

sensitivity of a data potential impact

24:45

of a data breach unauthorized disclosure

24:47

third evaluating the existing control

24:49

that's another important thing where

24:51

we're reviewing the existing policy

24:53

procedure technical controls do they are

24:55

educate then the next thing is identify

24:57

the gaps what we have and what we need

24:59

to achieve okay so based on assessment

25:02

results we identify Gap in the current

25:03

controls like example I did the

25:05

assessment of the website I discovered

25:06

they are using SSL required is TLS okay

25:10

there's no multi-factor authentication

25:11

required multifact authentication so

25:13

that is how I identify gaps because a

25:16

good privacy consultant doesn't mean

25:17

okay start from scratch when we already

25:19

have some control we need to just

25:20

enhance those control and that is how

25:22

you can able to save the budget also so

25:24

identify gaps

25:26

and prioritize the remediations is it

25:28

clear and then based on that develop the

25:31

action plan so when I say develop an

25:33

action plan it outlined the remediation

25:35

actions timeline responsibilities that

25:37

is the most important thing okay and

25:40

then finally we have a monitor and

25:42

review where we basically monitor the

25:44

current control in place so this this

25:46

approach can be tailored to meet the

25:47

specific need and requirement of

25:49

organization that applicable to the data

25:51

privacy regulation so this is all from

25:54

my side do let me know shall we make

25:56

more coffee shots or interview questions

25:57

on data privacy shall I make some coffee

26:00

shots on cip-pci pm and how do you find

26:03

this video do share your feedback in a

26:05

comment section because I really put my

26:07

lot of hard work making this content and

26:09

if you find this video useful and if you

26:12

think this video can be

26:14

useful for your friends and all that do

26:16

share in your network and do subscribe

26:19

to my channel and click on the Bell icon

26:21

to make sure you should not miss my

26:22

future videos on a similar topic thank

26:24

you so much bye